So I'm a bit confused trying to figure out how to tell if a user has read/write/executable permissions on files and/or directories in CentOS.
When I see:
-rw-r--r--. john john2 unconfined_u:object_r:user_home_t:s0 .config
-rw-r--r--. john john2 system_u:object_r:default_t:s0. .bashrc
after running ls -laZ,
that means the user "john" in group "john2" should have read/write permissions in both .confing and .bashrc? But what is unconfined_u and system_u have to do with it?
Best Answer
If you're just running the default targeted policy and haven't associated any user accounts with SELinux users, then all users will run unconfined and have a SELinux user
unconfined_u. This includes the root user when root logs in or a user uses su/sudo. System processes run as the SELinux usersystem_u. By default the targeted policy only confines system services, not users.You can, if you wish, confine users by associating their accounts with SELinux users, but this is not often done. It also may require some attention to setting or resetting the SELinux user on existing files.
The RHEL documentation has a lengthy explanation of the existing SELinux users, what those users are allowed to do, and the commands necessary to manage them. While you didn't ask, it also explains roles, which are complementary to users and allow users in that role to engage in specific activities, usually related to managing SELinux itself.